
Re: [Clamav-users] Strange behavior of Clamav with HTML email from Outlook

From: Dennis Peterson <dennispe(at)inetnw.com>
Date: Mon Oct 01 2007 - 23:13:18 EDT


Chinh Nguyen Tam wrote:

> Dennis Peterson wrote:

>> Chinh Nguyen Tam wrote:
>>> Greetings,
>>>
>>> We've noticed some strange behavior of clamav in our email server for.
>>> When we try to send some email (HTML format, Outlook 2003) with URL
>>> inside, clamav detects these emails as Email.Foolball-2 virus. If we send
>>> the emails with the same URL in Thunderbird HTML format or in pure text,
>>> clamav will let the emails pass by.
>>> You can see the example of one Outlook HTML attached in this message
>>> (please unpack with gzip).
>>> Please advise if anyone met the same problem before and how to solve this.
>>>
>>> Thank you very much!
>> If your message contains a url such as http://123.231.255.29/, in other words a URL
>> made up from an IP address, and if that URL is preceded by the word "tracker" then
>> the message will fail. In fact I had to reword this post to get past the av filter.
>>
>> dp
> 
> Yes, our emails contain urls with IP. We must change it to something
> like hxxp://123.123.123.123 to pass the filter. But you know, it's a bit
> noisy for the users. It'd be ok if there's a tip to disable this kind
> of check from clamav.

Perhaps setting this option in your clamd.conf file will help.

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

PhishingScanURLs no

The default is Yes.

dp
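
An added example (not from the thread and not ClamAV code): before turning the check off server-wide, an administrator can measure how much legitimate mail carries the pattern described above. This Python helper lists IP-literal URLs in a message's text parts and notes whether the word "tracker" appears shortly before each one; the function names and the 40-character window are assumptions, and it does not reproduce ClamAV's signature logic.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# http/https URLs in plain text or inside HTML attributes.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_ip_host(url):
    """True when the URL's host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:  # not an IP literal, or a malformed URL
        return False


def ip_urls_in_message(raw):
    """Return [(content_type, url, tracker_nearby)] for each distinct IP URL."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits, seen = [], set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        body = part.get_content()
        for m in URL_RE.finditer(body):
            url = m.group(0).rstrip(".,);")
            if url in seen or not is_ip_host(url):
                continue
            seen.add(url)
            # Assumed 40-character look-behind for the word the thread
            # mentions; a triage hint only.
            before = body[max(0, m.start() - 40):m.start()].lower()
            hits.append((part.get_content_type(), url, "tracker" in before))
    return hits


# Constructed sample message (not the attachment from the thread).
SAMPLE = """\
From: a@example.com
To: b@example.com
Subject: test
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Issue tracker: <a href="http://192.0.2.10/bugs">http://192.0.2.10/bugs</a></p>
<p>Docs: <a href="http://www.example.com/docs">docs</a></p></body></html>
"""
```

Running `ip_urls_in_message` over a sample of quarantined or outbound mail shows which senders and templates embed IP-literal links, which helps decide between fixing those templates and changing the scanner setting.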



Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Received on Mon Oct 1 23:15:26 2007

This archive was generated by hypermail 2.1.8 : Mon Oct 29 2007 - 12:20:43 EDT

